How will you forcefully demote a domain controller?

Question added by Jiyad Mundoly, Network Engineer, Future Group
Date Posted: 2015/03/04
by Usman Ghani Chaudhry, Senior System Administrator, Korek Telecom

In Windows Server 2012/2012 R2, you can demote a domain controller forcefully by following this procedure.

1. Launch Server Manager, click on the Manage drop-down menu and select Remove Roles and Features.

2. On the Select Destination Server page, select the server you want to demote and click Next.

3. On the Remove Server Roles page, uncheck the box for "Active Directory Domain Services" and click Next.

4. A validation result will appear; click on Demote this domain controller.

5. Here you will find the option "Force the removal of this domain controller".

Using PowerShell:

1. Log on to the server with Enterprise Admin rights and open Windows PowerShell with administrative rights.

2. Run the following command:

    Uninstall-ADDSDomainController -ForceRemoval

You can also use other switches with the above command, such as

    -LastDomainControllerInDomain
    -NoRebootOnCompletion
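The PowerShell route in the answer above, carried through with the checks a forced removal skips, as an added example that is not part of the original answer. It assumes you are running elevated as an Enterprise Admin on the domain controller being demoted, that a surviving domain controller named DC01 exists, and that the ADDSDeployment and ActiveDirectory modules are installed; the name DC01 is hypothetical.

```powershell
# Added example, not from the original answer. Run elevated, as an Enterprise
# Admin, on the DC that is being demoted. DC01 (the surviving DC) is hypothetical.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$Survivor = 'DC01'
$Me       = $env:COMPUTERNAME
$pw       = Read-Host -AsSecureString -Prompt 'Local Administrator password after demotion'

# 1. -ForceRemoval does no hand-off of operations master roles or global-catalog
#    duty, so do that while the domain is still reachable. If it is not, the
#    survivor has to seize the roles afterwards with
#    Move-ADDirectoryServerOperationMasterRole -Force.
try {
    $d = Get-ADDomain -ErrorAction Stop
    $f = Get-ADForest -ErrorAction Stop
    $survivorIsGc = (Get-ADDomainController -Identity $Survivor -ErrorAction Stop).IsGlobalCatalog
} catch {
    Write-Warning "Domain unreachable ($_). Demoting blind; seize roles on $Survivor afterwards."
    $d = $null
}

if ($d) {
    # Never remove the last global catalog in the forest.
    if (-not $survivorIsGc) {
        throw "$Survivor is not a global catalog; enable it before demoting $Me."
    }
    # Role owner properties hold the FQDN of the owning DC, e.g. DC02.corp.example.
    $roles = @()
    foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        if ($d.$r -like "$Me.*") { $roles += $r }
    }
    foreach ($r in 'SchemaMaster', 'DomainNamingMaster') {
        if ($f.$r -like "$Me.*") { $roles += $r }
    }
    if ($roles.Count -gt 0) {
        # Plain transfer (no -Force): the domain is up, so there is nothing to seize.
        Move-ADDirectoryServerOperationMasterRole -Identity $Survivor -OperationMasterRole $roles -Confirm:$false
    }
}

# 2. Dry run: the Test- cmdlet reports the prerequisite failures the real
#    uninstall would stop on, without changing anything.
$check = Test-ADDSDomainControllerUninstallation -ForceRemoval -LocalAdministratorPassword $pw
$check.Message | Write-Output
if ($check.Status -ne 'Success') { throw 'Pre-checks failed; see the messages above.' }

# 3. Forced demotion. -DemoteOperationMasterRole lets it proceed even if a role
#    transfer above did not happen; -NoRebootOnCompletion lets you read the result
#    before the reboot that completes the change; -Force suppresses the prompt.
Uninstall-ADDSDomainController -ForceRemoval -DemoteOperationMasterRole `
    -LocalAdministratorPassword $pw -NoRebootOnCompletion -Force
```

Because a forced removal never contacts another domain controller, none of the demoted server's objects (NTDS Settings, computer account, DNS records) are removed from the directory; the metadata cleanup in the last answer on this page still has to be run on a surviving domain controller afterwards.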

 

by Muhammad Anzar, DevOps/DevSecOps Architect, Confidential

In Windows 2008, we can use dcpromo /forceremoval

by Deleted user

Procedure to forcefully demote a domain controller:

Scenario 1: If the domain controller can boot into normal mode:

1. Click Start, click Run, and then type the following command:

        dcpromo /forceremoval

2. Click OK. If Certificate Services is not removed, you will get a message to remove it first. If FSMO roles/GC are not seized from the DC, you will get a message to transfer the roles to another DC.

3. At the Welcome to the Active Directory Installation Wizard page, click Next.

4. At the Force the Removal of Active Directory page, click Next.

5. In Administrator Password, type and confirm the password that you want to assign to the Administrator account of the local SAM database, and then click Next.

6. In Summary, click Next.

7. When it finishes, click Finish and reboot the computer.

 

Scenario 2: If the domain controller cannot start in normal mode:

 

1. Restart the computer, and then press F8 to display the Windows Advanced Options menu. 

2. Choose Directory Services Restore Mode, press ENTER, and then press ENTER again to continue restarting. 

3. Modify the ProductType entry in the registry. To do this, follow these steps:

    a. Click Start, click Run, type regedit, and then click OK.

    b. Locate the following registry subkey:

         HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions

    c. In the right-pane, double-click ProductType. 

    d. Type ServerNT in the Value data box, and then click OK.

Note: If this value is not set correctly or is misspelled, you may receive the following error message:

    System Process - License Violation: The system has detected tampering with your registered product type. This is a violation of your software license. Tampering with product type is not permitted.

 

    e. Quit Registry Editor. 

4. Restart the computer.

 

5. Log on with the administrator account and password that is used for Directory Services Restore Mode.

The computer will behave as a member server. However, there are still some remaining files and registry entries on the computer that are associated with the domain controller. If the domain controller cannot start in normal mode, do the following:

    - disjoin the domain (join a new workgroup)

    - install DNS Server and point it to itself

6. Start Registry Editor and locate the following registry entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

    If there is an entry for Src Root Domain Srv, right-click the value and then click Delete. This value must be deleted so that the domain controller sees itself as the only domain controller in the domain after promotion. Go through the following keys to delete references to the old domain controller:

    HKEY_LOCAL_MACHINE\Software\Microsoft\ADS\LDAP\CN=....

    HKEY_LOCAL_MACHINE\System\CCS\DNS\Parameters | PreviousLocalHostName

    HKEY_LOCAL_MACHINE\System\TCP\Services\TCPIP\Parameters | Domain and NV Domain

7. Remove the remaining files and registry entries. To do this, follow these steps:

    a. Start the Active Directory Installation Wizard. 

    b. Install Active Directory to make the computer a domain controller for a new, temporary domain, such as "psstemp.deleteme."

Note: Make sure that you make the computer a domain controller in a different forest.

    c. After you install Active Directory, start the Active Directory Installation Wizard again, and then remove Active Directory from the domain controller.

Perform a metadata cleanup for the demoted domain controller on a surviving domain controller in the forest. Active Directory stores a considerable amount of metadata about a domain controller. During the normal process of uninstalling Active Directory on a domain controller, this metadata is removed from Active Directory through a connection to another domain controller in the domain. A forced removal assumes that there is no connectivity to the domain; therefore, it does not attempt any metadata removal (cleanup).

 

Consequently, forced removal of Active Directory from a domain controller should always be followed by the metadata cleanup procedure, which removes all references to the domain controller from the domain and forest.
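The metadata cleanup the answer above ends on, run on a surviving domain controller, as an added example that is not part of the original answer. It assumes you are an Enterprise Admin running elevated on a surviving DC that is also a DNS server for the domain's AD-integrated zone, that the force-demoted server was named DC02, and that the ActiveDirectory and DnsServer modules are installed; DC02 and everything derived from it are hypothetical. ntdsutil displays a confirmation dialog before it removes the server object.

```powershell
# Added example, not from the original answer. Run elevated on a surviving DC
# as an Enterprise Admin after DC02 was force-demoted. DC02 is hypothetical.
Import-Module ActiveDirectory
Import-Module DnsServer

$Gone   = 'DC02'
$Here   = $env:COMPUTERNAME
$Domain = Get-ADDomain
$Forest = Get-ADForest
$Config = (Get-ADRootDSE).configurationNamingContext

# 1. A forced removal never hands over operations master roles. Any the dead DC
#    still owns must be seized here (-Force), since a transfer cannot reach it.
$held = @()
foreach ($r in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
    if ($Domain.$r -like "$Gone.*") { $held += $r }
}
foreach ($r in 'SchemaMaster', 'DomainNamingMaster') {
    if ($Forest.$r -like "$Gone.*") { $held += $r }
}
if ($held.Count -gt 0) {
    Move-ADDirectoryServerOperationMasterRole -Identity $Here -OperationMasterRole $held -Force -Confirm:$false
}

# 2. Locate the stale server object under CN=Sites and let ntdsutil remove it.
#    This is the "metadata cleanup" step: it deletes the NTDS Settings object,
#    so replication partners stop queuing changes for a DC that no longer exists.
$server = Get-ADObject -Filter "objectClass -eq 'server' -and name -eq '$Gone'" -SearchBase "CN=Sites,$Config"
if ($null -eq $server) { throw "No server object named $Gone under CN=Sites; already cleaned up?" }
& ntdsutil.exe 'metadata cleanup' "remove selected server $($server.DistinguishedName)" 'quit' 'quit'

# 3. Remove what is left behind: the computer account in the Domain Controllers
#    OU, and the A, CNAME and SRV records that still point at the old host.
Get-ADComputer -Filter "name -eq '$Gone'" -SearchBase $Domain.DomainControllersContainer |
    Remove-ADObject -Recursive -Confirm:$false

$zone = $Domain.DNSRoot
Get-DnsServerResourceRecord -ZoneName $zone -RRType A -Name $Gone -ErrorAction SilentlyContinue |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force
Get-DnsServerResourceRecord -ZoneName $zone -RRType Srv |
    Where-Object { $_.RecordData.DomainName -like "$Gone.*" } |
    Remove-DnsServerResourceRecord -ZoneName $zone -Force
# The GUID CNAME and forest-wide SRV records live in _msdcs.<forest root>, a
# separate zone on 2003+ forests; skip silently if this DC does not host it.
$msdcs = "_msdcs.$($Forest.RootDomain)"
Get-DnsServerResourceRecord -ZoneName $msdcs -RRType CName -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.HostNameAlias -like "$Gone.*" } |
    Remove-DnsServerResourceRecord -ZoneName $msdcs -Force
Get-DnsServerResourceRecord -ZoneName $msdcs -RRType Srv -ErrorAction SilentlyContinue |
    Where-Object { $_.RecordData.DomainName -like "$Gone.*" } |
    Remove-DnsServerResourceRecord -ZoneName $msdcs -Force

# 4. Verify: the directory no longer lists it as a DC, and replication shows
#    no partner that cannot be reached.
if (Get-ADDomainController -Filter "Name -eq '$Gone'") {
    throw "$Gone is still registered as a domain controller"
}
repadmin /replsummary
```

If the demoted machine is later rebuilt with the same name, run this cleanup before promoting it again; otherwise the promotion finds the stale NTDS Settings object and the old, unreachable replication links with it.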
